diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 29be7ff7..de671e73 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,6 +11,7 @@ name: Create Release permissions: contents: write + actions: read jobs: build-macos-windows: @@ -35,7 +36,39 @@ jobs: uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 - name: Build run: cargo build --profile superoptimized --locked --target ${{ matrix.target }} - - uses: actions/upload-artifact@v4 + - name: Upload unsigned Windows artifact + if: matrix.os == 'windows-latest' + id: upload_unsigned + uses: actions/upload-artifact@v4 + with: + name: unsigned-windows + path: target/${{ matrix.target }}/superoptimized/sqlpage.exe + if-no-files-found: error + + - name: Submit signing request to SignPath + if: matrix.os == 'windows-latest' + id: signpath + uses: signpath/github-action-submit-signing-request@v1.1 + with: + api-token: ${{ secrets.SIGNPATH_API_TOKEN }} + organization-id: '45fd8443-c7ca-4d29-a68b-608948185335' + project-slug: 'sqlpage' + signing-policy-slug: 'release-signing' + github-artifact-id: ${{ steps.upload_unsigned.outputs.artifact-id }} + wait-for-completion: true + output-artifact-directory: './signed-windows' + + - name: Upload signed Windows artifact + if: matrix.os == 'windows-latest' + uses: actions/upload-artifact@v4 + with: + name: sqlpage windows-latest + path: signed-windows/sqlpage.exe + if-no-files-found: error + + - name: Upload artifact (non-Windows) + if: matrix.os != 'windows-latest' + uses: actions/upload-artifact@v4 with: name: sqlpage ${{ matrix.os }} path: target/${{ matrix.target }}/superoptimized/sqlpage${{ matrix.binary_extension }} diff --git a/CHANGELOG.md b/CHANGELOG.md index 65d83c4d..124126a3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
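Review bot: `actions: read` is added to the workflow-level `permissions:` block, so every job receives it alongside the existing `contents: write`, including the build job that runs `cargo build` and third-party actions. Presumably the new scope is only needed by the SignPath submission step to read the uploaded artifact. If so, declare it on that job with a job-level `permissions:` holding `contents: read` and `actions: read` under `build-macos-windows`, and leave `contents: write` to the job that publishes the release. The remaining jobs are outside this hunk, so confirm which of them need write access before narrowing.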
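Review bot: The new signing step uses `signpath/github-action-submit-signing-request@v1.1`, a mutable tag, and hands it `secrets.SIGNPATH_API_TOKEN`, whereas the `Swatinem/rust-cache` step in the same job is pinned to a full commit SHA. Pin the signing action the same way, `uses: signpath/github-action-submit-signing-request@<full-commit-sha> # v1.1`, so a moved tag cannot change which code sees the token or submits the binary for signing. Nothing inspects `signed-windows/sqlpage.exe` before the "Upload signed Windows artifact" step. A short PowerShell step that fails when `Get-AuthenticodeSignature` reports `NotSigned` would catch an unsigned file being published, and it can be tightened to check the expected signer once the production certificate is active. The workflow trigger and matrix are outside this hunk, so confirm there that signing requests are only submitted from release runs.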
@@ -1,6 +1,8 @@ # CHANGELOG.md ## v0.37.0 + - We now cryptographically sign the Windows app during releases, which proves the file hasn’t been tampered with. Once the production certificate is active, Windows will show a "verified publisher" and should stop showing screens saying "This app might harm your device", "Windows protected your PC" or "Are you sure you want to run this application ?". + - Thanks to https://signpath.io for providing us with a windows signing certificate ! - Added a new parameter `encoding` to the [fetch](https://sql-page.com/functions.sql?function=fetch) function: - All [standard web encodings](https://encoding.spec.whatwg.org/#concept-encoding-get) are supported. - Additionally, `base64` can be specified to decode binary data as base64 (compatible with [data URI](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs)) diff --git a/README.md b/README.md index eaf62d14..051ca3f4 100644 --- a/README.md +++ b/README.md @@ -322,3 +322,10 @@ We welcome contributions! SQLPage is built with Rust and uses vanilla javascript for its frontend parts. Check out our [Contributing Guide](./CONTRIBUTING.md) for detailed instructions on development setup, testing, and pull request process. + +# Code signing policy + +Our windows binaries are digitally signed, so they should be recognized as safe by Windows. +Free code signing provided by [SignPath.io](https://about.signpath.io/), certificate by [SignPath Foundation](https://signpath.org/). [Contributors](https://github.com/sqlpage/SQLPage/graphs/contributors), [Owners](https://github.com/orgs/sqlpage/people?query=role%3Aowner). + +This program will not transfer any information to other networked systems unless specifically requested by the user or the person installing or operating it \ No newline at end of file